Analysis
max time kernel: 151s
max time network: 152s
platform: windows10_x64
resource: win10-en-20211014
submitted: 02-12-2021 12:28
Static task: static1
Behavioral task: behavioral1
Sample: 9eaadbe85b2b4fa9503bd39def5fb82f3c11a601e841f5f4bf275797097b88c2.exe
Resource: win10-en-20211014
General
Target: 9eaadbe85b2b4fa9503bd39def5fb82f3c11a601e841f5f4bf275797097b88c2.exe
Size: 232KB
MD5: d95d21302b16c737367e52f4cc9254eb
SHA1: 08395473cb04aa9c9903c2c1f6bb58db12c07456
SHA256: 9eaadbe85b2b4fa9503bd39def5fb82f3c11a601e841f5f4bf275797097b88c2
SHA512: d379b73dfb2d6c541e16fa1a65c6db1c7d9d977fab3af81a81d855c954e9f45e5d10f8a49a430615fc7e8d8ddb584e4e199fdda850799a450b1fc89f868fe6ee
Malware Config
Extracted
smokeloader
2020
http://rcacademy.at/upload/
http://e-lanpengeonline.com/upload/
http://vjcmvz.cn/upload/
http://galala.ru/upload/
http://witra.ru/upload/
https://cinems.club/search.php
https://clothes.surf/search.php
Extracted
redline
1
45.9.20.59:46287
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
Processes:
  resource: behavioral1/memory/1580-144-0x0000000004C70000-0x0000000004C9E000-memory.dmp  yara_rule: family_redline
  resource: behavioral1/memory/1580-152-0x0000000004CF0000-0x0000000004D1C000-memory.dmp  yara_rule: family_redline
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND
-
suricata: ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Downloads MZ/PE file
-
Executes dropped EXE 6 IoCs
Processes:
  pid 860   6DBA.exe
  pid 1488  SmartClock.exe
  pid 1204  96EE.exe
  pid 1580  E01D.exe
  pid 3720  sdegsbs
  pid 3144  4EA7.exe
-
Modifies RDP port number used by Windows 1 TTPs
-
Modifies Windows Firewall 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
Processes:
  resource: \Windows\Branding\mediasrv.png  yara_rule: upx
  resource: \Windows\Branding\mediasvc.png  yara_rule: upx
-
Deletes itself 1 IoCs
Processes:
  pid 3004  (process name blank in report)
-
Drops startup file 1 IoCs
Processes:
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk  (6DBA.exe)
-
Loads dropped DLL 2 IoCs
Processes:
  pid 192  (process name blank in report, listed twice)
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
  Key opened: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  (explorer.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  (explorer.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  (explorer.exe)
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Windows directory 8 IoCs
Processes:
  File created: C:\Windows\branding\mediasrv.png  (powershell.exe)
  File created: C:\Windows\branding\mediasvc.png  (powershell.exe)
  File created: C:\Windows\branding\wupsvc.jpg  (powershell.exe)
  File opened for modification: C:\Windows\branding\Basebrd  (powershell.exe)
  File opened for modification: C:\Windows\branding\ShellBrd  (powershell.exe)
  File opened for modification: C:\Windows\branding\mediasrv.png  (powershell.exe)
  File opened for modification: C:\Windows\branding\mediasvc.png  (powershell.exe)
  File opened for modification: C:\Windows\branding\wupsvc.jpg  (powershell.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
  pid 392  WerFault.exe  ->  target pid 3700  DllHost.exe
-
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
  Key opened:      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  (sdegsbs)
  Key enumerated:  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  (9eaadbe85b2b4fa9503bd39def5fb82f3c11a601e841f5f4bf275797097b88c2.exe)
  Key queried:     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  (96EE.exe)
  Key enumerated:  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  (96EE.exe)
  Key queried:     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  (sdegsbs)
  Key enumerated:  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  (sdegsbs)
  Key opened:      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  (9eaadbe85b2b4fa9503bd39def5fb82f3c11a601e841f5f4bf275797097b88c2.exe)
  Key queried:     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  (9eaadbe85b2b4fa9503bd39def5fb82f3c11a601e841f5f4bf275797097b88c2.exe)
  Key opened:      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  (96EE.exe)
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.
Processes:
  pid 2472  ipconfig.exe
  pid 4052  NETSTAT.EXE
  pid 3176  NETSTAT.EXE
  pid 2964  ipconfig.exe
-
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Modifies Internet Explorer settings
Processes:
  Set value (int): \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A3A04D2B-536B-11EC-B8A2-FE5CCB647586} = "0"  (iexplore.exe)
  Key created: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch  (iexplore.exe)
  Set value (int): \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"  (iexplore.exe)
  Key created: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main  (IEXPLORE.EXE)
  Set value (int): \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"  (process blank in report)
  Key created: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive  (iexplore.exe)
  Set value (int): \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"  (iexplore.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"  (iexplore.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"  (iexplore.exe)
  Key created: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery  (iexplore.exe)
  Key created: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\SOFTWARE\Microsoft\Internet Explorer\Main  (process blank in report)
  Key created: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main  (iexplore.exe)
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
  pid 1488  SmartClock.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid 2708  9eaadbe85b2b4fa9503bd39def5fb82f3c11a601e841f5f4bf275797097b88c2.exe  (listed twice)
  pid 3004  (process name blank in report; listed 62 times)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid 3004  (process name blank in report)
-
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
  pid 616  (process name blank in report)
-
Suspicious behavior: MapViewOfSection 61 IoCs
Processes (in report order; repeated entries collapsed with a count):
  pid 2708  9eaadbe85b2b4fa9503bd39def5fb82f3c11a601e841f5f4bf275797097b88c2.exe
  pid 1204  96EE.exe
  pid 3720  sdegsbs
  pid 3004  (process name blank in report)  x6
  pid 828   explorer.exe  x2
  pid 3004  x2
  pid 3180  explorer.exe  x2
  pid 3004  x2
  pid 3716  explorer.exe  x2
  pid 3004  x2
  pid 2292  explorer.exe  x2
  pid 3004  x2
  pid 1360  explorer.exe  x4
  pid 3004  x2
  pid 3680  explorer.exe  x30
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
  WMIC.exe (pid 1760), Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36  (this sequence of 21 is recorded twice)
  WMIC.exe (pid 496), Token: the same 21-entry sequence as above, recorded once, followed by one further SeIncreaseQuotaPrivilege entry (the report caps the list at 64 IoCs)
-
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
  pid 4060  iexplore.exe
  pid 3004  (process name blank in report)  x2
-
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
  pid 3004  (process name blank in report)  x3
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
  pid 4060  iexplore.exe  x2
  pid 3096  IEXPLORE.EXE  x2
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes (source pid/process -> target pid/process; repeated entries collapsed with a count):
  PID 3004 (name blank)  -> 860   6DBA.exe        x3
  PID 860  6DBA.exe      -> 1488  SmartClock.exe  x3
  PID 3004 (name blank)  -> 1204  96EE.exe        x3
  PID 3004 (name blank)  -> 1580  E01D.exe        x3
  PID 3004 (name blank)  -> 2444  cmd.exe         x2
  PID 2444 cmd.exe       -> 1760  WMIC.exe        x2
  PID 2444 cmd.exe       -> 496   WMIC.exe        x2
  PID 2444 cmd.exe       -> 3900  WMIC.exe        x2
  PID 2444 cmd.exe       -> 3408  WMIC.exe        x2
  PID 2444 cmd.exe       -> 2092  WMIC.exe        x2
  PID 2444 cmd.exe       -> 3744  WMIC.exe        x2
  PID 2444 cmd.exe       -> 2416  WMIC.exe        x2
  PID 2444 cmd.exe       -> 3884  WMIC.exe        x2
  PID 2444 cmd.exe       -> 660   WMIC.exe        x2
  PID 2444 cmd.exe       -> 2616  WMIC.exe        x2
  PID 2444 cmd.exe       -> 2584  WMIC.exe        x2
  PID 2444 cmd.exe       -> 2112  WMIC.exe        x2
  PID 2444 cmd.exe       -> 1596  WMIC.exe        x2
  PID 2444 cmd.exe       -> 4060  WMIC.exe        x2
  PID 2444 cmd.exe       -> 2472  ipconfig.exe    x2
  PID 2444 cmd.exe       -> 916   ROUTE.EXE       x2
  PID 2444 cmd.exe       -> 1588  netsh.exe       x2
  PID 3004 (name blank)  -> 3144  4EA7.exe        x2
  PID 2444 cmd.exe       -> 2644  systeminfo.exe  x2
  PID 2444 cmd.exe       -> 3992  tasklist.exe    x2
  PID 3144 4EA7.exe      -> 804   powershell.exe  x2
  PID 804  powershell.exe -> 2112 csc.exe         x2
  PID 2444 cmd.exe       -> 3868  net.exe         x2
  PID 3868 net.exe       -> 2400  net1.exe        x2
  PID 2444 cmd.exe       -> 2168  net.exe         x2
-
outlook_office_path 1 IoCs
Processes:
  Key opened: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  (explorer.exe)
-
outlook_win_path 1 IoCs
Processes:
  Key opened: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  (explorer.exe)
Processes (tree depth in brackets; "cmd:" is the recorded command line; signature hits listed beneath each process)
- [1] c:\windows\system32\taskhostw.exe
  cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- [1] C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
  cmd: "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
- [1] C:\Windows\system32\DllHost.exe
  cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  - [2] C:\Windows\system32\WerFault.exe
    cmd: C:\Windows\system32\WerFault.exe -u -p 3700 -s 928
    - Program crash
- [1] C:\Windows\System32\RuntimeBroker.exe
  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
- [1] C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
  cmd: "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
- [1] c:\windows\system32\svchost.exe
  cmd: c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
- [1] c:\windows\system32\sihost.exe
  cmd: sihost.exe
- [1] C:\Users\Admin\AppData\Local\Temp\9eaadbe85b2b4fa9503bd39def5fb82f3c11a601e841f5f4bf275797097b88c2.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\9eaadbe85b2b4fa9503bd39def5fb82f3c11a601e841f5f4bf275797097b88c2.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
- [1] C:\Users\Admin\AppData\Local\Temp\6DBA.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\6DBA.exe
  - Executes dropped EXE
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
    cmd: "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
- [1] C:\Windows\system32\backgroundTaskHost.exe
  cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca
- [1] C:\Users\Admin\AppData\Local\Temp\96EE.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\96EE.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
- [1] C:\Users\Admin\AppData\Local\Temp\E01D.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\E01D.exe
  - Executes dropped EXE
- [1] C:\Windows\system32\cmd.exe
  cmd: cmd
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\Wbem\WMIC.exe
    cmd: wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\System32\Wbem\WMIC.exe
    cmd: wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\System32\Wbem\WMIC.exe
    cmd: wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
  - [2] C:\Windows\System32\Wbem\WMIC.exe
    cmd: wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
  - [2] C:\Windows\System32\Wbem\WMIC.exe
    cmd: wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
  - [2] C:\Windows\System32\Wbem\WMIC.exe
    cmd: wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
  - [2] C:\Windows\System32\Wbem\WMIC.exe
    cmd: wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
  - [2] C:\Windows\System32\Wbem\WMIC.exe
    cmd: wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
  - [2] C:\Windows\System32\Wbem\WMIC.exe
    cmd: wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
  - [2] C:\Windows\System32\Wbem\WMIC.exe
    cmd: wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
  - [2] C:\Windows\System32\Wbem\WMIC.exe
    cmd: wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
  - [2] C:\Windows\System32\Wbem\WMIC.exe
    cmd: wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
  - [2] C:\Windows\System32\Wbem\WMIC.exe
    cmd: wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
  - [2] C:\Windows\System32\Wbem\WMIC.exe
    cmd: wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
  - [2] C:\Windows\system32\ipconfig.exe
    cmd: ipconfig /displaydns
    - Gathers network information
  - [2] C:\Windows\system32\ROUTE.EXE
    cmd: route print
  - [2] C:\Windows\system32\netsh.exe
    cmd: netsh firewall show state
  - [2] C:\Windows\system32\systeminfo.exe
    cmd: systeminfo
    - Gathers system information
  - [2] C:\Windows\system32\tasklist.exe
    cmd: tasklist /v
    - Enumerates processes with tasklist
  - [2] C:\Windows\system32\net.exe
    cmd: net accounts /domain
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe
      cmd: C:\Windows\system32\net1 accounts /domain
  - [2] C:\Windows\system32\net.exe
    cmd: net share
    - [3] C:\Windows\system32\net1.exe
      cmd: C:\Windows\system32\net1 share
  - [2] C:\Windows\system32\net.exe
    cmd: net user
    - [3] C:\Windows\system32\net1.exe
      cmd: C:\Windows\system32\net1 user
  - [2] C:\Windows\system32\net.exe
    cmd: net user /domain
    - [3] C:\Windows\system32\net1.exe
      cmd: C:\Windows\system32\net1 user /domain
  - [2] C:\Windows\system32\net.exe
    cmd: net use
  - [2] C:\Windows\system32\net.exe
    cmd: net group
    - [3] C:\Windows\system32\net1.exe
      cmd: C:\Windows\system32\net1 group
  - [2] C:\Windows\system32\net.exe
    cmd: net localgroup
  - [2] C:\Windows\system32\NETSTAT.EXE
    cmd: netstat -r
    - Gathers network information
    - [3] C:\Windows\system32\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
      - [4] C:\Windows\system32\ROUTE.EXE
        cmd: C:\Windows\system32\route.exe print
  - [2] C:\Windows\system32\NETSTAT.EXE
    cmd: netstat -nao
    - Gathers network information
  - [2] C:\Windows\system32\schtasks.exe
    cmd: schtasks /query
  - [2] C:\Windows\system32\ipconfig.exe
    cmd: ipconfig /all
    - Gathers network information
- [1] C:\Windows\system32\msiexec.exe
  cmd: C:\Windows\system32\msiexec.exe /V
- [1] C:\Users\Admin\AppData\Roaming\sdegsbs
  cmd: C:\Users\Admin\AppData\Roaming\sdegsbs
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
- [1] C:\Users\Admin\AppData\Local\Temp\4EA7.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\4EA7.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\Conhost.exe
      cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    - [3] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      cmd: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ptnbikda\ptnbikda.cmdline"
      - [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        cmd: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7A28.tmp" "c:\Users\Admin\AppData\Local\Temp\ptnbikda\CSC9C174859461429FA2196FD4F76D10F1.TMP"
    - [3] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      cmd: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hz5slpcy\hz5slpcy.cmdline"
      - [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        cmd: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8302.tmp" "c:\Users\Admin\AppData\Local\Temp\hz5slpcy\CSCFE928FD8EF924558A822B22DE1A18ECD.TMP"
    - [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    - [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    - [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    - [3] C:\Windows\system32\reg.exe
      cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    - [3] C:\Windows\system32\reg.exe
      cmd: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
      - Modifies registry key
    - [3] C:\Windows\system32\reg.exe
      cmd: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    - [3] C:\Windows\system32\net.exe
      cmd: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      - [4] C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    - [3] C:\Windows\system32\cmd.exe
      cmd: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
      - [4] C:\Windows\system32\cmd.exe
        cmd: cmd /c net start rdpdr
        - [5] C:\Windows\system32\net.exe
          cmd: net start rdpdr
          - [6] C:\Windows\system32\net1.exe
            cmd: C:\Windows\system32\net1 start rdpdr
    - [3] C:\Windows\system32\cmd.exe
      cmd: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
      - [4] C:\Windows\system32\cmd.exe
        cmd: cmd /c net start TermService
        - [5] C:\Windows\system32\net.exe
          cmd: net start TermService
          - [6] C:\Windows\system32\net1.exe
            cmd: C:\Windows\system32\net1 start TermService
- [1] C:\Windows\system32\net1.exe
  cmd: C:\Windows\system32\net1 localgroup
- [1] C:\Program Files\Internet Explorer\iexplore.exe
  cmd: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - [2] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    cmd: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4060 CREDAT:82945 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
- [1] C:\Windows\SysWOW64\explorer.exe
  cmd: C:\Windows\SysWOW64\explorer.exe
  - Accesses Microsoft Outlook profiles
  - outlook_office_path
  - outlook_win_path
- [1] C:\Windows\explorer.exe
  cmd: C:\Windows\explorer.exe
- [1] C:\Windows\SysWOW64\explorer.exe
  cmd: C:\Windows\SysWOW64\explorer.exe
  - Suspicious behavior: MapViewOfSection
- [1] C:\Windows\explorer.exe
  cmd: C:\Windows\explorer.exe
  - Suspicious behavior: MapViewOfSection
- [1] C:\Windows\SysWOW64\explorer.exe
  cmd: C:\Windows\SysWOW64\explorer.exe
  - Suspicious behavior: MapViewOfSection
- [1] C:\Windows\explorer.exe
  cmd: C:\Windows\explorer.exe
  - Suspicious behavior: MapViewOfSection
- [1] C:\Windows\SysWOW64\explorer.exe
  cmd: C:\Windows\SysWOW64\explorer.exe
  - Suspicious behavior: MapViewOfSection
- [1] C:\Windows\explorer.exe
  cmd: C:\Windows\explorer.exe
  - Suspicious behavior: MapViewOfSection
Downloads
- C:\Users\Admin\AppData\Local\Temp\4EA7.exe
  MD5: 7faddf1721f8f471bcbbd735e4032e1a
  SHA1: 9e1aadf3e0cd2642365599236e2dd9eaf1ab9aa9
  SHA256: 4a6a29e358327ac53ec209cfa4e32d73286413bdeaa2da4c80b8109b7906de5c
  SHA512: cf55867f2995be8ae4c6083bd9d1972630f4ab2435f65918ca9510d356c64a3b043fdc90d0ccc4c03c0144bcbd70c8bf01ede271c9b0663bd2ae9f8c0e7ccc53
- C:\Users\Admin\AppData\Local\Temp\6DBA.exe
  MD5: 92ad5f4dadf94f460b9d772dce9b1c0f
  SHA1: ad25d1207e96e498d478707b750355ef0ddad1d8
  SHA256: ed4ffa2ca336ad102c01c9c87ee5e7715701baad433c287d081869ba06a3b500
  SHA512: b2137e742d190d2dafa3904cafbb47d0f3fbc8787bb01a18a1ec4fcc0838bdf4fb336fc37972a268b0d5d3ced311ac5f1f7d0776e61977d354738baa1cd8d238
- C:\Users\Admin\AppData\Local\Temp\96EE.exe
  MD5: 499efe1d511dbdffc0a645f11e1ac1c3
  SHA1: 2f2fba3061937283dd4145791838e79d5f488b44
  SHA256: 3b84f6c845aa6d92f55f1b4f11f777414664bce0532789f1e6b6a9356ca324b2
  SHA512: 610333080db54973d5fe4727fef6b1b7b07b2b956c2602d6b21b0deada58b2081152cf91888461524d2e302ef2f3e4e044f531c6c700514d762cb0c68805247c
- C:\Users\Admin\AppData\Local\Temp\E01D.exe
  MD5: 80d21448ab24f32d95636fc4bfcc9dd3
  SHA1: 83eeff289f191b3cbd6c673a190520060797b874
  SHA256: 738b1b953356a26fe1eb27b386bd9a1a2d13ce004176584c1d33ef11d1de7cab
  SHA512: bf326edd10c2dda51eec0f4611f9bd6a84f2db3a3855d4b17f2b48812c36ee05304033a68dc9957d726bf8b93e95119709f54779625611ebb3dd66f9e927c5fb
- C:\Users\Admin\AppData\Local\Temp\RES7A28.tmp
  MD5: 1e2bf4a26f0a974fbf0536bd9f37a7bb
  SHA1: 6e4884c21f5ac20529549f3db63f219b6d2f6a80
  SHA256: c8d6e9cbc3ecb74a1c5a5c1e0789347edc84ad7ccb1be049aecff361bfafccab
  SHA512: 315cab2e277e0703361009a28484030dbfa3be13e999037ac643e299b37205e21a2902b0ce056db054e659a68c4c59d6988bb9f57740fc833cc225ab8904d84d
- C:\Users\Admin\AppData\Local\Temp\RES8302.tmp
  MD5: 25fcd0fc8a39f5918ac2b45ac85ff514
  SHA1: a7c92186b64ee0fd2d5a24761568c16b654930ef
  SHA256: 674fcd4836a285bfe7ec8c85f7429b1ae2f3fcbd8def96dbcdc610fe23337641
  SHA512: c2de3dde2733277cbc827af60a3be44b3dc2b481c9405c6b48a507b0ff21978961acc70785f14f71491f0e2051b9c935bfbb1e476aa74c5be4a2f7a0404c329a
- C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1
  MD5: df87d6d93b1ec74fc876c6b46e408d37
  SHA1: 1ba00c449d9132e6a481a98c5c98654c49e41352
  SHA256: 25fc99f93932f10299fbe3b9ee2cad331f9d6ada033e6ade943b8d779f4dfe7d
  SHA512: 130990d37a35a53e361a8f973b0e952dbd00763f3b8dbcc4fc83998b064e7433ee6256fc321c230ddcd6c166f3562e40b16c91f2a3d74775534b59075c10a692
- C:\Users\Admin\AppData\Local\Temp\hz5slpcy\hz5slpcy.dll
  MD5: 48284cc4763750badb229ac6dfe6b9b9
  SHA1: 92d791447b3f15ed659c4db26d2d6e991e193d2d
  SHA256: ecd246832bc65ac90aea3e805969546d43298518d396824b85ea4ef9ff0eaf3e
  SHA512: e22bffa06d393f11c19a40ff9d66ac4b1335c7d76156f55180f5d27cb89de148c3ed84fad6ac121c89d242e499059fe2451b50e24ba83d1af4b0ee4b0dfb6ef5
- C:\Users\Admin\AppData\Local\Temp\ptnbikda\ptnbikda.dll
  MD5: b6e7cfcdb51b13174d61ba94f867cfc0
  SHA1: c97f12cc379f045f6ef664115153c7b829361efd
  SHA256: 5ce9281071b66493cf8de82e68007513571f7ac70e2902f6ffea6f09ed288b40
  SHA512: d23c1ab2240b56a503ec1da6adf18f8f42bf81cc7d4a9b8a651df027fad649d62785a442a198cbef8b45b1be562a7780ce4ea6e22bbf4c866b88e0a1fe0bc8ab
- C:\Users\Admin\AppData\Local\Temp\ready.ps1
  MD5: 28d9755addec05c0b24cca50dfe3a92b
  SHA1: 7d3156f11c7a7fb60d29809caf93101de2681aa3
  SHA256: abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
  SHA512: 891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42
-
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exeMD5
92ad5f4dadf94f460b9d772dce9b1c0f
SHA1ad25d1207e96e498d478707b750355ef0ddad1d8
SHA256ed4ffa2ca336ad102c01c9c87ee5e7715701baad433c287d081869ba06a3b500
SHA512b2137e742d190d2dafa3904cafbb47d0f3fbc8787bb01a18a1ec4fcc0838bdf4fb336fc37972a268b0d5d3ced311ac5f1f7d0776e61977d354738baa1cd8d238
-
C:\Users\Admin\AppData\Roaming\sdegsbs
MD5 499efe1d511dbdffc0a645f11e1ac1c3
SHA1 2f2fba3061937283dd4145791838e79d5f488b44
SHA256 3b84f6c845aa6d92f55f1b4f11f777414664bce0532789f1e6b6a9356ca324b2
SHA512 610333080db54973d5fe4727fef6b1b7b07b2b956c2602d6b21b0deada58b2081152cf91888461524d2e302ef2f3e4e044f531c6c700514d762cb0c68805247c
-
\??\c:\Users\Admin\AppData\Local\Temp\hz5slpcy\CSCFE928FD8EF924558A822B22DE1A18ECD.TMP
MD5 147337f31efc6db324ab710d9788ed12
SHA1 5baf8ff5d1231d5462adf8f4cdc9a3209ec84625
SHA256 1ee209ff9e44780ffba2d97bb8fff56e3a4f177b12a7eb7ad9da8198858d7d3f
SHA512 2150283f99f1da86bdc075b31fd89919bb4f4936e6bda3d22ce14a547571908f6740b2e5d411f4351e972916f0c1bdf9ee4bcd2eb1f6071a09a5a11c06f1f185
-
\??\c:\Users\Admin\AppData\Local\Temp\hz5slpcy\hz5slpcy.0.cs
MD5 e0f116150ceec4ea8bb954d973e3b649
SHA1 86a8e81c70f4cc265f13e8760cf8888a6996f0fd
SHA256 511ea5f70cbc2f5d875f7dd035cb5203b119e22c3b131cc551d21d151c909d54
SHA512 32f01c2658c0314709e5dedec9a6d9911d0a0d777f6856569e043f705d036ab10e996732303ecdffea912e783b79463bdc0ffaa4b8c9d7a1e06a9073cd263bec
-
\??\c:\Users\Admin\AppData\Local\Temp\hz5slpcy\hz5slpcy.cmdline
MD5 c6933202044e3c45695dfac384b761a7
SHA1 88ac0a3a034a0ed9c604c4db0ebed952894f0df8
SHA256 18923907e328177e4ac98fe7b71fb6960c412030540332b1611a085a9b107414
SHA512 e255bcba31d747a112a69f268411d2aa6d1a92c8b51857a43d62e77f6a1b06faedaee576d08eae489e4ecce69ee95a2914389c4b2984e0ccdd55715fb2ee4c19
-
\??\c:\Users\Admin\AppData\Local\Temp\ptnbikda\CSC9C174859461429FA2196FD4F76D10F1.TMP
MD5 c08a205868f9d44563c0a89be30ba11e
SHA1 110f9b4006b73e3b2c25710018913aeeeed018a5
SHA256 f68d07e94327f96b66255be87419179f02dba9ad5aa9a80d7d28316f4c4a195e
SHA512 50a479bd0e31f0d61ce4265660f0d92fca5f3bb0e00bb5b47c00dc31db58de19f848f4df20d716dc1b177c9016d286ae1efafac32d7595978b140eb45597daf6
-
\??\c:\Users\Admin\AppData\Local\Temp\ptnbikda\ptnbikda.0.cs
MD5 9f8ab7eb0ab21443a2fe06dab341510e
SHA1 2b88b3116a79e48bab7114e18c9b9674e8a52165
SHA256 e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
SHA512 53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b
-
\??\c:\Users\Admin\AppData\Local\Temp\ptnbikda\ptnbikda.cmdline
MD5 880218bc37e2ecc468cdaa7de3ba942a
SHA1 782ad48c1bcf9c6a0c4f781e2c307e1d11f2f353
SHA256 9eafbcc0af56208bf7132ed4111cee4c2758e8eb565af04716bfee0f5b17c5c8
SHA512 685126eb7c41823e2b6304f97deb2fb9e481583db996cfc647248f98a7e98d61741f68798a921fc6ddc000ada9d2a6d3955971d43434013405faa7949ad5c8e9
-
\Windows\Branding\mediasrv.png
MD5 817b407a7b13f1e8010f65685a3a953f
SHA1 43c5d8a426864a893540ff93efa0ce9a54059981
SHA256 c168afed57a9b2960b58ff8a99afabcac9eaf4c341cf489f412d27d9a4494e54
SHA512 6c1b1737f629cb842444a018b3f3828147a4d986136c37020a44f39de450721325c82396618318481aeca90f30c36ee2789b8a3facf59ecc2afcff30091f0805
-
\Windows\Branding\mediasvc.png
MD5 c9e06976020650f39385fdb2d73b009c
SHA1 81c894055ca5d4efd62d97087598e8cb23bcda36
SHA256 741cd5c361878f530e5641891a34089375b53d7f52eebb98e7ed9195bb5b1a72
SHA512 b8e50d313d249c8f633003277b90a4edfaa20157881c22edaa6ca6aa181a450be2722cae9ff2a27cde5b718f14f07104fdb4ca067afbe0ee809cb308b9dd617b
-
memory/496-154-0x0000000000000000-mapping.dmp
-
memory/660-173-0x0000000000000000-mapping.dmp
-
memory/804-221-0x00000215BBAA6000-0x00000215BBAA8000-memory.dmp
Filesize 8KB
-
memory/804-206-0x00000215A1BB0000-0x00000215A1BB2000-memory.dmp
Filesize 8KB
-
memory/804-213-0x00000215BBAA0000-0x00000215BBAA2000-memory.dmp
Filesize 8KB
-
memory/804-263-0x00000215BCEA0000-0x00000215BCEA1000-memory.dmp
Filesize 4KB
-
memory/804-262-0x00000215BCB10000-0x00000215BCB11000-memory.dmp
Filesize 4KB
-
memory/804-260-0x00000215BBAA8000-0x00000215BBAA9000-memory.dmp
Filesize 4KB
-
memory/804-258-0x00000215A1BB0000-0x00000215A1BB2000-memory.dmp
Filesize 8KB
-
memory/804-257-0x00000215A1BB0000-0x00000215A1BB2000-memory.dmp
Filesize 8KB
-
memory/804-253-0x00000215BC4E0000-0x00000215BC4E1000-memory.dmp
Filesize 4KB
-
memory/804-214-0x00000215BBAA3000-0x00000215BBAA5000-memory.dmp
Filesize 8KB
-
memory/804-215-0x00000215A1BB0000-0x00000215A1BB2000-memory.dmp
Filesize 8KB
-
memory/804-202-0x0000000000000000-mapping.dmp
-
memory/804-203-0x00000215A1BB0000-0x00000215A1BB2000-memory.dmp
Filesize 8KB
-
memory/804-204-0x00000215A1BB0000-0x00000215A1BB2000-memory.dmp
Filesize 8KB
-
memory/804-205-0x00000215A1BB0000-0x00000215A1BB2000-memory.dmp
Filesize 8KB
-
memory/804-211-0x00000215BC520000-0x00000215BC521000-memory.dmp
Filesize 4KB
-
memory/804-236-0x00000215BC4A0000-0x00000215BC4A1000-memory.dmp
Filesize 4KB
-
memory/804-207-0x00000215A1BB0000-0x00000215A1BB2000-memory.dmp
Filesize 8KB
-
memory/804-210-0x00000215A1BB0000-0x00000215A1BB2000-memory.dmp
Filesize 8KB
-
memory/804-209-0x00000215A1BB0000-0x00000215A1BB2000-memory.dmp
Filesize 8KB
-
memory/804-208-0x00000215BC370000-0x00000215BC371000-memory.dmp
Filesize 4KB
-
memory/828-480-0x0000000002900000-0x000000000290B000-memory.dmp
Filesize 44KB
-
memory/828-479-0x0000000002910000-0x0000000002917000-memory.dmp
Filesize 28KB
-
memory/828-478-0x0000000000000000-mapping.dmp
-
memory/860-123-0x0000000004910000-0x00000000049A1000-memory.dmp
Filesize 580KB
-
memory/860-124-0x0000000000400000-0x0000000002BEA000-memory.dmp
Filesize 39.9MB
-
memory/860-119-0x0000000000000000-mapping.dmp
-
memory/860-122-0x0000000004760000-0x00000000047DF000-memory.dmp
Filesize 508KB
-
memory/888-162-0x00000261B7FD0000-0x00000261B7FD2000-memory.dmp
Filesize 8KB
-
memory/888-161-0x00000261B7FD0000-0x00000261B7FD2000-memory.dmp
Filesize 8KB
-
memory/916-187-0x0000000000000000-mapping.dmp
-
memory/1204-130-0x0000000000000000-mapping.dmp
-
memory/1204-134-0x0000000002C80000-0x0000000002DCA000-memory.dmp
Filesize 1.3MB
-
memory/1204-133-0x0000000002C60000-0x0000000002C68000-memory.dmp
Filesize 32KB
-
memory/1204-135-0x0000000000400000-0x0000000002B72000-memory.dmp
Filesize 39.4MB
-
memory/1360-495-0x0000000002C20000-0x0000000002C26000-memory.dmp
Filesize 24KB
-
memory/1360-496-0x0000000002C10000-0x0000000002C1B000-memory.dmp
Filesize 44KB
-
memory/1360-494-0x0000000000000000-mapping.dmp
-
memory/1488-125-0x0000000000000000-mapping.dmp
-
memory/1488-129-0x0000000000400000-0x0000000002BEA000-memory.dmp
Filesize 39.9MB
-
memory/1488-128-0x0000000002C80000-0x0000000002DCA000-memory.dmp
Filesize 1.3MB
-
memory/1488-498-0x00000000001C0000-0x00000000001CB000-memory.dmp
Filesize 44KB
-
memory/1488-497-0x00000000001D0000-0x00000000001D1000-memory.dmp
Filesize 4KB
-
memory/1576-514-0x0000000000000000-mapping.dmp
-
memory/1580-164-0x00000000074C0000-0x00000000074C1000-memory.dmp
Filesize 4KB
-
memory/1580-149-0x0000000007523000-0x0000000007524000-memory.dmp
Filesize 4KB
-
memory/1580-243-0x0000000000000000-mapping.dmp
-
memory/1580-137-0x0000000000000000-mapping.dmp
-
memory/1580-185-0x0000000008EB0000-0x0000000008EB1000-memory.dmp
Filesize 4KB
-
memory/1580-140-0x0000000002C10000-0x0000000002D5A000-memory.dmp
Filesize 1.3MB
-
memory/1580-141-0x00000000047C0000-0x00000000047F9000-memory.dmp
Filesize 228KB
-
memory/1580-142-0x0000000000400000-0x0000000002B95000-memory.dmp
Filesize 39.6MB
-
memory/1580-160-0x0000000007370000-0x0000000007371000-memory.dmp
Filesize 4KB
-
memory/1580-159-0x0000000007340000-0x0000000007341000-memory.dmp
Filesize 4KB
-
memory/1580-157-0x0000000007A30000-0x0000000007A31000-memory.dmp
Filesize 4KB
-
memory/1580-143-0x0000000007520000-0x0000000007521000-memory.dmp
Filesize 4KB
-
memory/1580-144-0x0000000004C70000-0x0000000004C9E000-memory.dmp
Filesize 184KB
-
memory/1580-184-0x0000000008CE0000-0x0000000008CE1000-memory.dmp
Filesize 4KB
-
memory/1580-183-0x0000000008600000-0x0000000008601000-memory.dmp
Filesize 4KB
-
memory/1580-182-0x0000000008390000-0x0000000008391000-memory.dmp
Filesize 4KB
-
memory/1580-181-0x00000000083C0000-0x00000000083C1000-memory.dmp
Filesize 4KB
-
memory/1580-165-0x0000000008040000-0x0000000008041000-memory.dmp
Filesize 4KB
-
memory/1580-179-0x00000000082D0000-0x00000000082D1000-memory.dmp
Filesize 4KB
-
memory/1580-152-0x0000000004CF0000-0x0000000004D1C000-memory.dmp
Filesize 176KB
-
memory/1580-163-0x0000000007524000-0x0000000007526000-memory.dmp
Filesize 8KB
-
memory/1580-150-0x0000000007530000-0x0000000007531000-memory.dmp
Filesize 4KB
-
memory/1580-148-0x0000000007522000-0x0000000007523000-memory.dmp
Filesize 4KB
-
memory/1588-188-0x0000000000000000-mapping.dmp
-
memory/1596-178-0x0000000000000000-mapping.dmp
-
memory/1708-515-0x0000000000000000-mapping.dmp
-
memory/1736-228-0x0000000000000000-mapping.dmp
-
memory/1760-153-0x0000000000000000-mapping.dmp
-
memory/1836-227-0x0000000000000000-mapping.dmp
-
memory/2092-158-0x0000000000000000-mapping.dmp
-
memory/2112-177-0x0000000000000000-mapping.dmp
-
memory/2112-219-0x0000000000000000-mapping.dmp
-
memory/2116-471-0x0000000003070000-0x00000000030DB000-memory.dmp
Filesize 428KB
-
memory/2116-458-0x0000000000000000-mapping.dmp
-
memory/2116-470-0x00000000030E0000-0x0000000003155000-memory.dmp
Filesize 468KB
-
memory/2168-225-0x0000000000000000-mapping.dmp
-
memory/2280-256-0x0000000000000000-mapping.dmp
-
memory/2292-490-0x0000000000000000-mapping.dmp
-
memory/2292-492-0x00000000004C0000-0x00000000004CC000-memory.dmp
Filesize 48KB
-
memory/2292-491-0x00000000004D0000-0x00000000004D6000-memory.dmp
Filesize 24KB
-
memory/2316-468-0x0000023163838000-0x000002316383A000-memory.dmp
Filesize 8KB
-
memory/2316-431-0x0000023163836000-0x0000023163838000-memory.dmp
Filesize 8KB
-
memory/2316-408-0x0000000000000000-mapping.dmp
-
memory/2316-428-0x0000023163830000-0x0000023163832000-memory.dmp
Filesize 8KB
-
memory/2316-430-0x0000023163833000-0x0000023163835000-memory.dmp
Filesize 8KB
-
memory/2348-502-0x000002AAC4310000-0x000002AAC4311000-memory.dmp
Filesize 4KB
-
memory/2400-224-0x0000000000000000-mapping.dmp
-
memory/2416-171-0x0000000000000000-mapping.dmp
-
memory/2444-151-0x0000000000000000-mapping.dmp
-
memory/2472-186-0x0000000000000000-mapping.dmp
-
memory/2472-365-0x0000000000000000-mapping.dmp
-
memory/2472-377-0x000001EAD2800000-0x000001EAD2802000-memory.dmp
Filesize 8KB
-
memory/2472-411-0x000001EAD2808000-0x000001EAD280A000-memory.dmp
Filesize 8KB
-
memory/2472-409-0x000001EAD2806000-0x000001EAD2808000-memory.dmp
Filesize 8KB
-
memory/2472-379-0x000001EAD2803000-0x000001EAD2805000-memory.dmp
Filesize 8KB
-
memory/2584-176-0x0000000000000000-mapping.dmp
-
memory/2616-175-0x0000000000000000-mapping.dmp
-
memory/2644-200-0x0000000000000000-mapping.dmp
-
memory/2708-116-0x0000000002CF0000-0x0000000002CF9000-memory.dmp
Filesize 36KB
-
memory/2708-117-0x0000000000400000-0x0000000002B72000-memory.dmp
Filesize 39.4MB
-
memory/2708-115-0x0000000002CE0000-0x0000000002CE8000-memory.dmp
Filesize 32KB
-
memory/2776-226-0x0000000000000000-mapping.dmp
-
memory/2808-513-0x0000000000000000-mapping.dmp
-
memory/2856-233-0x0000000000000000-mapping.dmp
-
memory/2916-240-0x0000000000000000-mapping.dmp
-
memory/2940-241-0x0000000000000000-mapping.dmp
-
memory/2964-261-0x0000000000000000-mapping.dmp
-
memory/3004-146-0x00000000041D0000-0x00000000041D2000-memory.dmp
Filesize 8KB
-
memory/3004-136-0x0000000002610000-0x0000000002626000-memory.dmp
Filesize 88KB
-
memory/3004-266-0x00000000041D0000-0x00000000041D2000-memory.dmp
Filesize 8KB
-
memory/3004-267-0x00000000041D0000-0x00000000041D2000-memory.dmp
Filesize 8KB
-
memory/3004-147-0x00000000041B0000-0x00000000041BF000-memory.dmp
Filesize 60KB
-
memory/3004-192-0x00000000041D0000-0x00000000041D2000-memory.dmp
Filesize 8KB
-
memory/3004-145-0x00000000041D0000-0x00000000041D2000-memory.dmp
Filesize 8KB
-
memory/3004-174-0x00000000043B0000-0x00000000043C6000-memory.dmp
Filesize 88KB
-
memory/3004-118-0x0000000000650000-0x0000000000666000-memory.dmp
Filesize 88KB
-
memory/3096-299-0x0000000000000000-mapping.dmp
-
memory/3136-239-0x0000000000000000-mapping.dmp
-
memory/3144-199-0x00000164B6BF6000-0x00000164B6BF7000-memory.dmp
Filesize 4KB
-
memory/3144-198-0x00000164B6BF5000-0x00000164B6BF6000-memory.dmp
Filesize 4KB
-
memory/3144-197-0x00000164B6BF3000-0x00000164B6BF5000-memory.dmp
Filesize 8KB
-
memory/3144-196-0x00000164B6BF0000-0x00000164B6BF2000-memory.dmp
Filesize 8KB
-
memory/3144-189-0x0000000000000000-mapping.dmp
-
memory/3144-194-0x00000164D1010000-0x00000164D12DE000-memory.dmp
Filesize 2.8MB
-
memory/3164-231-0x0000000000000000-mapping.dmp
-
memory/3168-229-0x0000000000000000-mapping.dmp
-
memory/3176-246-0x0000000000000000-mapping.dmp
-
memory/3180-481-0x0000000000000000-mapping.dmp
-
memory/3180-483-0x0000000000550000-0x000000000055E000-memory.dmp
Filesize 56KB
-
memory/3180-482-0x0000000000560000-0x0000000000569000-memory.dmp
Filesize 36KB
-
memory/3320-244-0x0000000000000000-mapping.dmp
-
memory/3396-472-0x0000000000330000-0x000000000033C000-memory.dmp
Filesize 48KB
-
memory/3396-467-0x0000000000000000-mapping.dmp
-
memory/3396-469-0x0000000000340000-0x0000000000347000-memory.dmp
Filesize 28KB
-
memory/3408-156-0x0000000000000000-mapping.dmp
-
memory/3456-238-0x0000000000000000-mapping.dmp
-
memory/3680-501-0x00000000006F0000-0x00000000006FD000-memory.dmp
Filesize 52KB
-
memory/3680-500-0x0000000000700000-0x0000000000707000-memory.dmp
Filesize 28KB
-
memory/3680-499-0x0000000000000000-mapping.dmp
-
memory/3716-487-0x0000000000000000-mapping.dmp
-
memory/3716-489-0x0000000002920000-0x0000000002929000-memory.dmp
Filesize 36KB
-
memory/3716-488-0x0000000002930000-0x0000000002935000-memory.dmp
Filesize 20KB
-
memory/3720-168-0x0000000002BE0000-0x0000000002BE9000-memory.dmp
Filesize 36KB
-
memory/3720-169-0x0000000000400000-0x0000000002B72000-memory.dmp
Filesize 39.4MB
-
memory/3744-170-0x0000000000000000-mapping.dmp
-
memory/3748-331-0x0000027D6CC76000-0x0000027D6CC78000-memory.dmp
Filesize 8KB
-
memory/3748-327-0x0000027D6CC73000-0x0000027D6CC75000-memory.dmp
Filesize 8KB
-
memory/3748-326-0x0000027D6CC70000-0x0000027D6CC72000-memory.dmp
Filesize 8KB
-
memory/3748-308-0x0000000000000000-mapping.dmp
-
memory/3748-230-0x0000000000000000-mapping.dmp
-
memory/3868-223-0x0000000000000000-mapping.dmp
-
memory/3884-172-0x0000000000000000-mapping.dmp
-
memory/3900-155-0x0000000000000000-mapping.dmp
-
memory/3948-249-0x0000000000000000-mapping.dmp
-
memory/3992-201-0x0000000000000000-mapping.dmp
-
memory/4052-242-0x0000000000000000-mapping.dmp
-
memory/4060-484-0x0000019086780000-0x0000019086781000-memory.dmp
Filesize 4KB
-
memory/4060-275-0x00007FFD17D20000-0x00007FFD17D8B000-memory.dmp
Filesize 428KB
-
memory/4060-274-0x00007FFD17D20000-0x00007FFD17D8B000-memory.dmp
Filesize 428KB
-
memory/4060-276-0x00007FFD17D20000-0x00007FFD17D8B000-memory.dmp
Filesize 428KB
-
memory/4060-278-0x00007FFD17D20000-0x00007FFD17D8B000-memory.dmp
Filesize 428KB
-
memory/4060-279-0x00007FFD17D20000-0x00007FFD17D8B000-memory.dmp
Filesize 428KB
-
memory/4060-493-0x00000190887E0000-0x00000190887E1000-memory.dmp
Filesize 4KB
-
memory/4060-280-0x00007FFD17D20000-0x00007FFD17D8B000-memory.dmp
Filesize 428KB
-
memory/4060-281-0x00007FFD17D20000-0x00007FFD17D8B000-memory.dmp
Filesize 428KB
-
memory/4060-283-0x00007FFD17D20000-0x00007FFD17D8B000-memory.dmp
Filesize 428KB
-
memory/4060-180-0x0000000000000000-mapping.dmp
-
memory/4060-282-0x00007FFD17D20000-0x00007FFD17D8B000-memory.dmp
Filesize 428KB
-
memory/4088-245-0x0000000000000000-mapping.dmp
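The two listings above (dropped files with their MD5/SHA1/SHA256/SHA512 values, and per-process memory dumps named PID-event-start-end) are what a responder turns into indicators. The Python below is an added example for this page, not part of the sandbox report or of any vendor's tooling. It parses entries whether the label is glued to its value (as the report extracts, e.g. `SHA1<hex>` or a path ending in `MD5` with the hash on the next line) or separated from it, rejects hashes of the wrong length or with non-hex characters (a copy/paste truncation that silently breaks a blocklist), collects the SHA256 set, and checks each memory dump's printed Filesize against its address range (end minus start, with the report's rounding of whole KB below 1 MB and one-decimal MB above). The sample text is constructed from entries on this page; the rule that no real path ends in the literal text `MD5` is an assumption of the parser.

```python
"""Parse dropped-file and memory-dump entries from a sandbox report listing
and cross-check them. Added example; not the report's or a vendor's code."""
import re
from dataclasses import dataclass, field
from typing import Optional

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
LABEL_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s*([0-9A-Fa-f]*)$")
SIZE_RE = re.compile(r"^Filesize\s*(\S*)$")
MEM_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-"
    r"(?:0x([0-9A-Fa-f]+)-memory|mapping)\.dmp(Filesize)?$"
)

# Constructed sample: entries copied from this page, in both the glued
# layout the extraction produced and the separated label/value layout.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\E01D.exe
MD5 80d21448ab24f32d95636fc4bfcc9dd3
SHA1 83eeff289f191b3cbd6c673a190520060797b874
SHA256 738b1b953356a26fe1eb27b386bd9a1a2d13ce004176584c1d33ef11d1de7cab
SHA512 bf326edd10c2dda51eec0f4611f9bd6a84f2db3a3855d4b17f2b48812c36ee05304033a68dc9957d726bf8b93e95119709f54779625611ebb3dd66f9e927c5fb
-
C:\Users\Admin\AppData\Local\Temp\ready.ps1MD5
28d9755addec05c0b24cca50dfe3a92b
SHA17d3156f11c7a7fb60d29809caf93101de2681aa3
SHA256abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
SHA512891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42
-
memory/1580-144-0x0000000004C70000-0x0000000004C9E000-memory.dmpFilesize
184KB
-
memory/1580-137-0x0000000000000000-mapping.dmp
-
memory/860-124-0x0000000000400000-0x0000000002BEA000-memory.dmp
Filesize 39.9MB
-
"""


@dataclass
class Entry:
    kind: str                                   # "file" or "memory"
    path: str
    hashes: dict = field(default_factory=dict)  # label -> lowercase hex
    pid: Optional[int] = None
    event: Optional[int] = None
    start: Optional[int] = None
    end: Optional[int] = None                   # None for -mapping.dmp entries
    listed_size: Optional[str] = None           # Filesize as printed, e.g. "184KB"


def parse_report(text: str) -> list:
    """Walk the listing line by line; '-' separates items. A label may carry
    its value on the same line (glued or spaced) or on the following line."""
    entries, cur, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":
            if cur:
                entries.append(cur)
            cur, pending = None, None
            continue
        if pending:                             # value for the label seen on the previous line
            if pending == "Filesize":
                cur.listed_size = line
            else:
                cur.hashes[pending] = line.lower()
            pending = None
            continue
        m = MEM_RE.match(line)
        if m:
            pid, ev, start, end, fused = m.groups()
            path = line[:-len("Filesize")] if fused else line
            cur = Entry("memory", path, pid=int(pid), event=int(ev),
                        start=int(start, 16), end=int(end, 16) if end else None)
            pending = "Filesize" if fused else None
            continue
        m = SIZE_RE.match(line)
        if m and cur is not None:
            if m.group(1):
                cur.listed_size = m.group(1)
            else:
                pending = "Filesize"
            continue
        m = LABEL_RE.match(line)
        if m and cur is not None and cur.kind == "file":
            label, hexdigits = m.groups()
            if hexdigits:
                cur.hashes[label] = hexdigits.lower()
            else:
                pending = label
            continue
        # Anything else starts a dropped-file entry. Assumption: no genuine path
        # ends in the literal text "MD5", so a trailing "MD5" is the glued label.
        if line.endswith("MD5") and len(line) > 3:
            cur, pending = Entry("file", line[:-3]), "MD5"
        else:
            cur = Entry("file", line)
    if cur:
        entries.append(cur)
    return entries


def hash_problems(entry: Entry) -> list:
    """Describe every hash whose length is wrong for its algorithm or that is not hex."""
    return [f"{entry.path}: bad {label} {value!r}"
            for label, value in entry.hashes.items()
            if len(value) != HASH_LEN[label] or not re.fullmatch(r"[0-9a-f]+", value)]


def human_size(nbytes: int) -> str:
    """Mirror the report's rounding: whole KB below 1 MB, one decimal MB above."""
    if nbytes < 1024 * 1024:
        return f"{nbytes / 1024:g}KB"
    return f"{nbytes / (1024 * 1024):.1f}MB"


def region_size(entry: Entry) -> Optional[int]:
    """Byte length of a dumped region (end - start); None for -mapping.dmp entries."""
    if entry.kind != "memory" or entry.end is None:
        return None
    return entry.end - entry.start


def size_consistent(entry: Entry) -> Optional[bool]:
    """True if the printed Filesize agrees with the address range; None if not applicable."""
    n = region_size(entry)
    if n is None or entry.listed_size is None:
        return None
    return human_size(n) == entry.listed_size


def sha256_iocs(entries) -> set:
    """Unique SHA256 values, ready for a blocklist or a hunt query."""
    return {e.hashes["SHA256"] for e in entries if "SHA256" in e.hashes}


if __name__ == "__main__":
    parsed = parse_report(SAMPLE)
    for e in parsed:
        print(e.kind, e.path, hash_problems(e) or "", size_consistent(e))
    print(sorted(sha256_iocs(parsed)))
```

Run against the full listing, `hash_problems` flags any entry that was damaged in transit, and `size_consistent` returning False for a memory dump means the printed size and the address range in the dump name disagree, which is worth checking before the region is fed to a YARA scan.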